Oracle Reverts: Backup Oracle

[bh2smith]

Based on the document shared in #14 on ChainLink Oracle DeFi Attacks it seems that we should consider implementing some backup/fallback oracle logic to prevent the contract from being permanently "bricked" (cf "Unhandled Oracle Revert Denial Of Service").

try oracle.latestRoundData() returns (
    uint80 roundId,
    int256 answer,
    uint256 startedAt,
    uint256 updatedAt,
    uint80 answeredInRound
) {
    // Normal price feed logic
} catch {
    // Fallback logic here, for example:
    // 1. Use a secondary oracle
    // 2. Use a time-weighted average price (TWAP)
    // 3. Use the last valid price with a timeout
}

TWAP seems like a reasonable suggestion, but I wonder if we might just leave it open/abstract for the oracle owner to implement...

contract LPOracle {
    address public oracle;
    address public backupOracle;
    
    // Allow updating oracle addresses
    function updateOracle(address newOracle) external onlyOwner {
        oracle = newOracle;
    }
    
    function updateBackupOracle(address newBackupOracle) external onlyOwner {
        backupOracle = newBackupOracle;
    }
    
    function getPrice() external returns (uint256) {
        try IOracle(oracle).getPrice() returns (uint256 price) {
            return price;
        } catch {
            // Try backup oracle
            return IOracle(backupOracle).getPrice();
        }
    }
}

[lumoswiz]

Definitely some things to consider. I currently think about it this way:

• We should keep our implementation simple and let contracts that digest our price feed handle it as they wish.
• To do the above, they require some info about the underlying price feeds. For example, the updatedAt params for both feeds in order to assess how stale they are. Currently we only pass on one updatedAt value - what if they're both stale?

For example, AaveOracle enables updating price feeds/setting fallback oracles, etc.